Managing Forwarding Rules

If you want Resolver to forward queries for specified domain names to your network,
you create one forwarding rule
for each domain name and specify the name of the domain for which you want to forward
queries.

Associating Forwarding Rules with a VPC

After you create a forwarding rule, you must associate the rule with one or more VPCs.
When you associate a rule with
a VPC, Resolver starts to forward DNS queries for the domain name that's specified
in the rule to the DNS resolvers
that you specified in the rule. The queries pass through the outbound endpoint
that you specified when you created
the rule.

To disassociate a rule from one or more VPCs, perform the following steps.

Choose the option for the rule that you want to disassociate from one or more VPCs.

Choose Edit.

Under Select a VPC in the region: region-name,
choose the X for each VPC that you want to disassociate the rule from.

Choose Submit.

Sharing Forwarding Rules with Other AWS Accounts and Using Shared Rules

You can share the forwarding rules that you created using one AWS account with other
AWS accounts. To share rules,
the Route 53 Resolver console integrates with AWS Resource Access Manager. For
more information about Resource Access Manager, see the
Resource Access Manager User Guide.

Note the following:

Associating shared rules with VPCs

If another AWS account has shared one or more rules with your account, you can associate
the rules
with your VPCs the same way that you associate rules that you created with
your VPCs. For more information, see
Associating Forwarding Rules with a VPC.

Deleting or unsharing a rule

If you share a rule with other accounts and then either delete the rule or stop sharing
it,
and if the rule was associated with one or more VPCs, Route 53 Resolver starts
to process DNS queries for those VPCs
based on the remaining rules. The behavior is the same as if you disassociate
the rule from the VPC.

Limits on rules

When an account creates a rule and shares it with one or more other accounts, the
limit on the
number of rules per AWS Region applies to the account that created the rule.

When an account that a rule is shared with associates the rule with one or more VPCs,
the limit on the
number of associations between rules and VPCs per Region applies to the account
that the rule is shared with.

To share a rule with another AWS account, you must have permission to use the
PutResolverRulePolicy action.

Restrictions on the AWS account that a rule is shared with

The account that a rule is shared with can't change or delete the rule.

Tagging

Only the account that created a rule can add, delete, or see tags on the rule.

To view the current sharing status of a rule (including the account that shared the
rule or the account that the rule is shared with), and to share rules with another
account, perform the following procedure.

The Sharing status column shows the current sharing status of rules that were created by the
current account or that are shared with the current account:

Not shared: The current AWS account created the rule, and the rule
is not shared with any other accounts.

Shared by me: The current account created the rule and shared it with
one or more accounts.

Shared with me: Another account created the rule and shared it with
the current account.

Choose the name of the rule that you want to display sharing information for or that
you want to share with
another account.

On the Rule: rule name page, the value under Owner
displays the ID of the account that created the rule. That's the current account
unless the value of Sharing status
is Shared with me. In that case, Owner is the account that created the rule and
shared it with the current account.

Choose Share to view additional information or to share the rule with another account.
A page in the Resource Access Manager console appears, depending on the value
of Sharing status:

Not shared: The Create resource share page
appears. For information about how to share the rule with another account,
OU, or organization, skip to step 6.

Shared by me: The Shared resources page shows
the rules and other resources that are owned by the current account and shared
with other accounts.

Shared with me: The Shared resources page shows
the rules and other resources that are owned by other accounts and shared with
the current account.

To share a rule with another AWS account, OU, or organization, specify the following
values.

Note

You can't update sharing settings. If you want to change any of the following settings,
you must
reshare a rule with the new settings and then remove the old sharing settings.

Description

Enter a short description that helps you remember why you shared the rule.

Resources

Choose the check box for the rule that you want to share.

Principals

Enter the AWS account number, OU name, or organization name.

Tags

Specify one or more keys and the corresponding values. For example, you might specify
Cost center for Key and specify 456 for Value.

These are the tags that AWS Billing and Cost Management provides for organizing your
AWS bill; you can also use tags for other purposes.
For more information about using tags for cost allocation, see
Use Cost Allocation Tags for Custom Billing Reports
in the AWS Billing and Cost Management User Guide.

You can't delete the default Internet Resolver rule, which has a value of Recursive
for Type. This rule causes Route 53 Resolver to act as a recursive resolver for any domain
names that you didn't
create custom rules for and that Resolver didn't create autodefined rules for.
For more information about how rules are categorized, see
Using Rules to Control Which Queries Are Forwarded
to Your Network.
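The fallback described under "Deleting or unsharing a rule" above and the undeletable Recursive default rule described here, as an added Python simulation (not AWS code and not the Route 53 Resolver API): account IDs, rule IDs and VPC IDs are constructed, the default rule's id is a placeholder, and the model assumes Resolver picks the associated rule with the most specific (longest) domain match. Once a rule is unshared, the recipient's VPC silently falls back to recursive Internet resolution for that domain, which is the change a defender wants to notice.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    rule_id: str
    owner: str      # account that created the rule
    domain: str     # "." is the default Internet Resolver rule
    rule_type: str  # "Forward" or "Recursive"
    shared_with: set = field(default_factory=set)

class ResolverModel:
    """Rule ownership, sharing, VPC associations and query routing (simulation)."""
    DEFAULT = "default-internet-resolver"  # placeholder id, not AWS's real rule id

    def __init__(self):
        self.rules = {self.DEFAULT: Rule(self.DEFAULT, "aws", ".", "Recursive")}
        self.assoc = {}      # vpc_id -> set of rule ids associated with that VPC
        self.vpc_owner = {}  # vpc_id -> account that owns the VPC

    def create_rule(self, account, rule_id, domain):
        self.rules[rule_id] = Rule(rule_id, account, domain, "Forward")

    def share(self, account, rule_id, principal):
        # Only the owner (needs PutResolverRulePolicy) can share; recipients can't change it.
        if self.rules[rule_id].owner != account:
            raise PermissionError("only the owning account can share a rule")
        self.rules[rule_id].shared_with.add(principal)

    def associate(self, account, rule_id, vpc_id):
        rule = self.rules[rule_id]
        if account != rule.owner and account not in rule.shared_with:
            raise PermissionError("rule is neither owned by nor shared with account")
        self.vpc_owner[vpc_id] = account
        self.assoc.setdefault(vpc_id, set()).add(rule_id)

    def unshare(self, rule_id, principal):
        # Unsharing (or deleting) acts like disassociating the rule from the principal's VPCs.
        self.rules[rule_id].shared_with.discard(principal)
        for vpc, acct in self.vpc_owner.items():
            if acct == principal:
                self.assoc[vpc].discard(rule_id)

    def route(self, vpc_id, qname):
        """Pick the associated rule with the most specific (longest) domain match."""
        best = self.rules[self.DEFAULT]  # the "." rule always matches and can't be deleted
        for rid in self.assoc.get(vpc_id, ()):
            rule = self.rules[rid]
            if ("." + qname).endswith("." + rule.domain) and len(rule.domain) > len(best.domain):
                best = rule
        return best.rule_id, best.rule_type
```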